[Samba] idmap limit?

Andreas Hauffe andreas.hauffe at tu-dresden.de
Tue Jan 16 15:20:52 UTC 2018


Hi,

no, that's my fault. I changed the UIDs and user names in my "ls -l" to 
unpersonalized/example data for my mail and didn't think about putting 
these values into the range. A better unpersonalized data example would 
look like:

----------

drwx------ 43 DOM\user1        DOM\group  4096 Jan 10 08:00 user1
drwx------   5 DOM\user2        DOM\group  4096 Jan 11 08:13 user2
drwx------  3         10234          DOM\group  4096 Sep  7  2015 user3
drwx------  7         10235          DOM\group  4096 Apr 30  2013 user4
drwx------ 12 DOM\user5        DOM\group   4096 Jan  4 12:46 user5
drwx------  2         10236          DOM\group   4096 Jul  1 2015 user6
....

When we run a "wbinfo --uid-info" for an unmapped user, we are getting:

 > wbinfo --uid-info=10234
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10234

When we run "wbinfo -i" for that user, everything works fine.

 > wbinfo -i DOM\\user3
DOM\user3:*:10234:10001::/home/user3:/bin/bash

After the last command (wbinfo -i DOM\\user3), "wbinfo 
--uid-info=10234" also shows the correct result, and the "ls -l" listing 
also shows the user name instead of the uid.

---------



Am 16.01.2018 um 16:06 schrieb Rowland Penny via samba:
> On Tue, 16 Jan 2018 15:22:44 +0100
> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> we are running a file server as member server of a windows 2012
>> domain. Now we are facing the problem, that some UIDs are not mapped
>> to the user names by the running winbindd process. This results in
>> "nobody" usernames for nfs shares mounted by other clients.
>>
>> When doing an "ls -l" in the homes directory on the member server
>> (file server), the list looks like:
>>
>> drwx------ 43 DOM\user1        DOM\group  4096 Jan 10 08:00 user1
>> drwx------   5 DOM\user2        DOM\group  4096 Jan 11 08:13 user2
>> drwx------  3           1234          DOM\group  4096 Sep  7  2015 user3
>> drwx------  7           1235          DOM\group  4096 Apr 30  2013 user4
>> drwx------ 12 DOM\user5        DOM\group   4096 Jan  4 12:46 user5
>> drwx------  2           1236          DOM\group   4096 Jul  1 2015 user6
>> ....
>>
>> When we run a "wbinfo --uid-info" for an unmapped user, we are
>> getting:
>>
>>   > wbinfo --uid-info=1234
>> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for uid 1234
>>
>> When we run "wbinfo -i" for that user, everything works fine.
>>
>>   > wbinfo -i DOM\\user3
>> DOM\user3:*:1234:1000::/home/user3:/bin/bash
>>
>> After the last command (wbinfo -i DOM\\user3), "wbinfo
>> --uid-info=1234" also shows the correct result, and the "ls -l" listing
>> also shows the user name instead of the uid.
>>
>> So the question is, if there is any limit for the UID to user name
>> mapping in winbind, since the problem started while increasing the
>> number of clients and users.
>>
>> smb.conf looks like:
>>
>> [global]
>>       security = ADS
>>       workgroup = DOM2
>>       realm = DOM2.DOM.EXAMPLE.DE
>>       dedicated keytab file = /etc/krb5.keytab
>>       kerberos method = secrets and keytab
>>
>>       template homedir = /home/%U
>>       template shell = /bin/bash
>>
>>       idmap config * : backend = tdb
>>       idmap config * : range = 2000-2999
>>       idmap config DOM2 : backend = rid
>>       idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
>>       idmap config DOM : backend = rid
>>       idmap config DOM : range = 10000-9999999 # UID from RID for DOM
>>
>>       winbind refresh tickets = yes
>>
>> nsswitch.conf looks like:
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>> gshadow:        files
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>> sudoers:        files
>>
>> idmapd.conf looks like:
>>
>> [General]
>>
>> Verbosity = 0
>> Pipefs-Directory = /run/rpc_pipefs
>> Domain = dom2.dom.example.de
>> Local-Realms = DOM2.DOM.EXAMPLE.DE,DOM.EXAMPLE.DE
>>
>> [Mapping]
>>
>> Nobody-User = nobody
>> Nobody-Group = nogroup
>>
>> krb5.conf looks like:
>>
>> [libdefaults]
>>       default_realm = DOM2.DOM.TU-DRESDEN.DE
>>       dns_lookup_realm = true
>>       dns_lookup_kdc = true
>>
>>
> Is the user '1234' stored in AD or /etc/passwd?
>
>  From the number '1234' it is not a member of 'DOM' (range
> 10000-9999999), or 'DOM2' (range 3000-9999) or a member of '*' (range
> 2000-2999), it looks like it is probably a local Unix user.
>
> Rowland
>   
>

-- 
Best regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
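The range check Rowland applies by hand above (is the numeric owner inside the '*', 'DOM2' or 'DOM' idmap range?) can be automated over an "ls -l" listing, which is a quick way to tell a genuinely unmapped UID from one that winbind has simply not resolved yet. The script below is an added example, not code from the thread or from the Samba project: it parses the `idmap config` lines quoted in the thread (constructed excerpt), classifies each numeric owner by range, and for `rid` backends inverts the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, to recover the RID. The regex parser and the helper names are assumptions of this example; the parser stops at `#` so the inline annotations on the quoted range lines do not leak into the numbers.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the smb.conf idmap settings quoted in the thread.
SMB_CONF = """
[global]
      idmap config * : backend = tdb
      idmap config * : range = 2000-2999
      idmap config DOM2 : backend = rid
      idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
      idmap config DOM : backend = rid
      idmap config DOM : range = 10000-9999999 # UID from RID for DOM
"""

# Constructed "ls -l" lines in the shape shown in the thread: one resolved
# owner, one numeric owner inside the DOM range, one numeric owner outside
# every configured range.
LS_OUTPUT = r"""drwx------ 43 DOM\user1        DOM\group  4096 Jan 10 08:00 user1
drwx------  3         10234          DOM\group  4096 Sep  7  2015 user3
drwx------  2          1234          DOM\group  4096 Jul  1 2015 user6
"""

# Matches "idmap config <domain> : backend|range = <value>"; '*' is a valid
# domain name here. Anything after '#' is dropped from the value.
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>[^#]+)",
    re.IGNORECASE,
)


@dataclass
class IdmapDomain:
    name: str
    backend: str
    low: int
    high: int


def parse_idmap_config(text: str) -> list[IdmapDomain]:
    """Collect backend and low/high range per idmap domain from smb.conf text."""
    found: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            found.setdefault(m["dom"], {})[m["key"].lower()] = m["val"].strip()
    domains: list[IdmapDomain] = []
    for name, kv in found.items():
        if "range" not in kv:
            continue  # a domain without a range cannot allocate IDs
        low, high = (int(x) for x in re.split(r"\s*-\s*", kv["range"]))
        domains.append(IdmapDomain(name, kv.get("backend", "?"), low, high))
    return domains


def locate_uid(uid: int, domains: list[IdmapDomain]) -> Optional[IdmapDomain]:
    """Return the idmap domain whose range contains uid, or None if no range does."""
    for d in domains:
        if d.low <= uid <= d.high:
            return d
    return None


def uid_to_rid(uid: int, dom: IdmapDomain, base_rid: int = 0) -> int:
    """Invert idmap_rid's ID = RID - BASE_RID + LOW_RANGE_ID (base rid defaults to 0)."""
    return uid - dom.low + base_rid


def audit_ls(ls_text: str, domains: list[IdmapDomain]) -> list[tuple[int, Optional[str], Optional[int]]]:
    """For every line whose owner column is still numeric, report
    (uid, idmap domain or None, RID or None)."""
    report = []
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # owner already resolved to a name, nothing to explain
        uid = int(fields[2])
        dom = locate_uid(uid, domains)
        if dom is None:
            report.append((uid, None, None))  # outside every range: not winbind's
        elif dom.backend.lower() == "rid":
            report.append((uid, dom.name, uid_to_rid(uid, dom)))
        else:
            report.append((uid, dom.name, None))  # tdb-style allocation, no RID
    return report


if __name__ == "__main__":
    doms = parse_idmap_config(SMB_CONF)
    for uid, dom, rid in audit_ls(LS_OUTPUT, doms):
        where = f"domain {dom}, RID {rid}" if dom else "no configured idmap range"
        print(f"uid {uid}: {where}")
```

A UID that lands in a `rid` range with a plausible RID is one winbind should be able to resolve (which is the situation in the second listing, where `wbinfo -i` primes the lookup), whereas a UID outside every range, like the 1234 in the first listing, cannot come from winbind at all and has to be looked for in /etc/passwd or another NSS source.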


